It’s the old preconception that’s kept security out of the equation for far too long – if cyber gets involved, the whole project is dead, or at least not going anywhere fast. Luckily that dynamic is falling by the wayside, as business leaders have come to realize that not including security means taking on an unknown level of risk, not only to data systems but to patient safety. To Monique St. John, CISO and Associate CIO at CHOP, innovation and cybersecurity must go hand in hand. And, done right, the two actually move faster and more effectively together. The caveat is that those hands need to clasp at the beginning of the journey for the partnership to be most fruitful. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, St. John also discusses the critical process of third-party risk management, and how security executives can maintain a healthy work/life balance.
Podcast: Play in new window | Download (Duration: 29:23 — 20.2MB)
Bold Statements
When we talk about this, it’s really key to ensure that security principles and security responsibilities are embedded across the board, and that there’s balance between innovation and security. It’s not just about being one or the other. In order to do business, you have to be innovative, you have to transform the services, be more efficient, and security really needs to be at the forefront of that to ensure that operations is protected, the data is protected, and that we are really partnering with the business to drive the strategy forward.
It’s my role to make sure that all the facts are lined up, all the risks are outlined with whatever the scenario is – if it’s a solution, if it’s options – and letting the business know, ‘Here’s where we’re at with those risks, the facts, and here are the options that you have to move forward,’ and have them make the decision based on the business need, and having that risk-based approach inform their business decision.
… rely on your team. Develop a team that you can really trust. I say all the time that, yes, there are things that keep me up at night, but what helps me sleep is my dedicated team, or the dedicated team at CHOP. I just went on vacation a couple of weeks ago and didn’t have to worry because the team is solid and they’re committed to CHOP and they’re committed to defending CHOP.
Anthony: Welcome to healthsystemCIO’s interview with Monique St. John, VP, CISO and Associate CIO at Children’s Hospital of Philadelphia. I’m Anthony Guerra, Founder and Editor-in-Chief. Monique, thanks for joining me.
Monique: Thanks for having me, Anthony. Appreciate being here.
Anthony: Very good. Looking forward to having a fun chat. You want to start off by telling me a little bit about your organization and your role?
Monique: Sure. CHOP is a national pediatric health system based in Philadelphia, Pennsylvania. We have two primary hospitals. We are about to launch a third behavioral health center hospital within Philadelphia. We have approximately 50 care centers throughout the region, the Philadelphia-New Jersey region, and we are centrally located within University City Philadelphia, but also have our additional hospital out in King of Prussia, Pennsylvania.
Anthony: Very good. Let’s start off a little bit by talking about titles and roles and things like that. We see quite a bit going on in healthcare. You are currently, as I mentioned, CISO and Associate CIO and at one point, you were CISO and CTO. We know there have been connections between the CISO role and the CTO role, you came at it from infrastructure, that happens a lot. I just wonder your general thoughts on all the roles swirling around. Most people say it can work any number of ways.
Monique: I definitely think that an organization needs a security officer, especially an organization the size of CHOP. We have 25,000 employees, as I mentioned, spread over multiple locations, dealing with several regulatory agencies. So depending on the organization, that will really define what roles are needed; a chief technology officer absolutely is needed. As you mentioned, my role was combined. There are other CTSOs (Chief Technology and Security Officers) out in the health industry right now. I know there’s one locally, and it all depends on how the organization wants to structure their team.
At CHOP, information security is an absolute focus and the number 1 area that we look at constantly. So it was important to have a security officer focused just on our security program and protections and layers of defense. Also, because of the digital transformation activities, CHOP really invested in a Chief Technology Officer role to make sure that there was a strategy defined and a road map to get to where we needed to be from a digital transformation perspective as well.
Anthony: Sometimes there can be a dynamic between the CIO role, which you might think of as driving forward, and a CISO or a security role, which can be a little bit of a, ‘hey, slow down, we have to add security to this.’ You know, there’s a little bit of a question there with CISOs reporting up to CIOs, which is the majority. I think that’s the majority structure. I think almost no CISOs report to the CEO. But what are your thoughts there on that whole dynamic and ensuring that security never gets shortchanged because it’s under the overall IT structure?
Monique: To me, it’s all about partnering with my colleagues and the executive leadership team at the organization. Information security is not just my role, even though that is my primary responsibility. Information security is really everyone’s responsibility at CHOP. The executive team at CHOP has been very supportive around the security program and having security be at the table at the beginning of the conversation around artificial intelligence, around new opportunities, digital transformation. It’s important that the conversations start with information security being a part of it versus after the fact.
When we talk about this, it’s really key to ensure that security principles and security responsibilities are embedded across the board and that there’s balance between that innovation and security. It’s not just about being one or the other. In order to do business, you have to be innovative. You have to transform the services, be more efficient, and security really needs to be at the forefront of that to ensure that operations is protected, the data is protected, and that we are really partnering with the business to drive the strategy forward.
Anthony: That’s excellent. I did an interview yesterday with a CIO and he was talking about – the health system built a new ambulatory center/clinic, whatever you want to call it, practice, and he was not brought in at the stage when the architect designed the plans. It wasn’t the end of the world, it was a positive story of an ambulatory venue being built out with a lot of technology. That was the point.
But what came out of the conversation was he did come in at least after the plans had been made with the architect and I said, ‘oh, wouldn’t it have been a little bit better if you got to sit down pre-design.’ He said, ‘well yes, right. Because there could have been some things that I could have suggested or done.’
To your point, and my point, people have to realize, and are starting to realize, that IT and IT security must be included at the very beginning, right?
Monique: Right. It can’t be the old way anymore, and I’m not saying that it doesn’t happen, and we work together – as I mentioned. I partner with my colleagues to ensure that security is thought about so that it happens the way you just described, but when it’s after the fact, we deal with it. We partner together, we work to really focus on what is in the best interest of CHOP. To do better in the future, we look at lessons learned and determine how do we take that risk-based approach moving forward and having security at the table, and security thought processes at the table, at the beginning.
It’s the same with the technology teams too. Sometimes the technology teams aren’t necessarily at the table when ideas are developed and solutions are starting to be talked about. It’s really important that we look at it from a holistic standpoint where everybody is partnering together on developing the solution as one CHOP versus silos. CHOP is really good about partnering together and creating these working groups to ensure that that holistic approach is taken.
So I understand where the CIO is coming from. I’ve been in that position and I always just strive for us to do better in the future.
Anthony: Yes, definitely. That ‘what can we do better in the future’ – that’s really about culture change, right? We talk about the old days and where we want to be, where we want to move. It’s like moving a big ship, right, like the Titanic? It’s hard to turn a big ship, it takes time. It takes education. So every time something slips through the cracks or pops up late, again, it’s not ‘no,’ right? It’s not, ‘forget it, you blew it.’ It’s about determining what was broken in this process and fixing it, correct?
Monique: Right. Definitely change management and having those conversations about what didn’t work well and what did work well. I think one of the keys you just mentioned is it’s not always no. It’s how do we work together to figure out what’s right, what’s in the best interest of CHOP, what’s that risk-based approach and what are our options based on that approach.
Information security, I think, is looked at as the no department, and we’re really not. We really just look at risk and determine, ‘okay, here’s how we evaluate those risks,’ and then help the business understand that evaluation and what some options are, depending on what those risks are. It’s definitely a change in approach and a change in perception to steer the ship to, ‘we’re partners in this.’ We are leaders of the organization, not just security, not just technology, not just clinical, we’re leaders at CHOP.
Anthony: You mentioned the term risk-based approach, tell me a little bit about what you mean when you say that.
Monique: Sure. Everything that we do is based on risk and evaluating and assessing what a solution is or isn’t, what our options are and what are the risks inherent in those options and those solutions, and evaluating that to a point where we understand what the probability of that risk is, what the impact would be, and making a decision based on those facts. We want to make really thoughtful decisions and evaluation of those risks, those options, the impact and determining what the risk tolerance is for the business with the business having an active role in that conversation and really being a part of making that decision.
In fact, it is a business decision when we talk about making that risk-based decision. It’s my role to make sure that all the facts are lined up, all the risks are outlined with whatever the scenario is – if it’s a solution, if it’s options – and letting the business know, ‘here’s where we’re at with those risks, the facts, and here are the options that you have to move forward,’ and have them make the decision based on the business need, and having that risk-based approach inform their business decision.
Anthony: Usually in this type of discussion, are we usually talking about an application that’s been requested by a user? Is that what we’re thinking here or are you thinking of other things as well?
Monique: It could be really anything. It could be software. It could be the use of data. It could be implementing a new solution. It could be an artificial intelligence-type learning module that they want to be implemented. It could be a number of things, hundreds that could come up within different use cases within the CHOP business.
There’s a lot of tools that people see on the consumer market that they want to bring in-house. I get calls constantly, ‘can we do this,’ and when we evaluate it, we have to evaluate not only the tool but the vendor and the vendor profile; and that leads into third party risk management.
There’s a lot of risk relating to bringing in a third party that has access to possibly the network, the data, and that may be employee data, healthcare data, student data, any data that CHOP would have, research data. It’s important that that’s evaluated. I don’t want to necessarily go down a third-party risk rabbit hole, but there are things that we need to make sure are looked at, and it’s not just one area, it’s multiple areas of risk that we need to evaluate as solutions are asked for and as requests come in.
Anthony: That’s great stuff. You mentioned a couple of different types of scenarios where you would want to assign a risk level that you would communicate back to the business. As you’re listing these, I started to think that I could totally see many scenarios where they don’t come to IT security and they say, ‘well, I didn’t know for this particular thing, I didn’t even know I needed to come to you, so sorry.’
Monique: Right. So there are processes that we follow within digital and technology services where there are onboarding processes for new solutions, new software, new hardware, new integration points within the current systems. There’s a formal process that is pretty widely known within CHOP on how to submit for a new project or a new implementation.
There’s always going to be those things where people say they didn’t know, and that’s where the partnership aspect comes in – making sure that I am out talking to my colleagues, having road shows, information security road shows, and really just talking through what the risks are, what we look for, what individuals can do, their individual responsibilities, and part of that is knowing the policies and procedures that are really standard within CHOP.
Anthony: Right. So a request comes to you, you look at it and assign some risk level to it. I’m sure I’m being over simplistic, but something like red, yellow, green. Just take me through how it works after that.
Monique: It all depends on what the risk is. Let’s take, for example, a software vendor. We have an employee submit a request for it, ‘I want to use this.’ We review the vendor, and the vendor needs to have certain data points and information security protections in order for us to be okay with the vendor, be okay with the vendor profile, the risk profile of the vendor, and that’s all about third party risk management, to evaluate that vendor and ensure that it’s okay.
At that point in time, the vendor is providing certain protections and details within their company on how they handle information security, layers of defense and protections. There are some that come through green, like you mentioned, where they’re doing everything right. They have encryption with their data and different layers of protections where we sign off that, ‘yes, this looks great. This vendor appears to have a profile that is on point.’ We actually use a third party service for some of that analysis to ensure that we have an objective review of that vendor and the vendor’s protection levels.
There are times when a vendor will come back where there are risks associated with things. Maybe they don’t use multi-factor authentication within their application. That’s actually a red flag for us. It’s: you either fix that or we don’t onboard you. That’s a pretty hard stop. There are things like that where I need to partner with the business unit and my business colleagues to say, ‘okay, this vendor is coming back. It’s saying they don’t have this protection,’ and we’re going to use multi-factor as an example.
That business partner and I usually partner to have a conversation with the vendor, or my team does, in regards to, ‘okay, can they get it on their road map, by what time,’ and really have a conversation with the vendor. It’s a hard no and not to onboard for CHOP (without MFA) but we do try to work with vendors to see how can we make it possible, and can they work with us to streamline that implementation over a course of months in order for us to be able to work with them.
Anthony: Lots of good stuff in there. I just want to go into a couple of those points you made. You mentioned you use a third party service for some of this analysis which makes a lot of sense.
I did an interview with a CISO the other day and she said she was very frustrated and not happy and not satisfied, not content with the current questionnaire dynamic. She thought it was useless and a lot of work for not a lot of comfort and didn’t provide a lot of confidence. She said there’s got to be a better way. You’ve got this third party which sounds like one of the better ways as opposed to just trusting, right? Tell me a little bit about that.
Monique: Right. And with all of these, it only covers a point in time that we do the risk analysis and we get the questionnaire back. (We still do questionnaire-based risk assessments as well.) It’s a point in time on that security posturing, that feedback from the vendor. The third party helps us coordinate all of those data points where the team doesn’t necessarily have to go through the questionnaire and cross check.
Yes, I agree, there should be a better way. But it is such a high risk, we have to do something. Using that vendor has helped us streamline to the point where we not only are doing risk assessments at the beginning of contracts, we’re doing them mid contracts too. We are maturing the process to evaluate our vendors throughout the contract life cycle so that it’s a constant process versus just one-time, especially as I just mentioned, when you receive a risk assessment and that data, it’s really a point in time, as of today.
So we do want to make sure, especially with our core vendors and our critical platforms, that we are evaluating risks and the vendor’s risk profile mid-way through the contract and just to do that cross check, to make sure that we are not just waiting until three years down the road.
We want to make sure, additionally, if something were to come up, that we’re partnering with the vendor and remediating that, and that’s something that this third party company helps with too. One of the positives of using a third party to help with those assessments is that if they do flag something within that vendor profile, they will work with the vendors to help remediate it – and at least quarterback the remediation – so that the CHOP information security team doesn’t have to do that.
Anthony: Very good. A little follow up on what we were talking about, about the risk assessment delivered to the business user and the example you gave for the multi-factor authentication, you said, ‘that’s not happening,’ basically. ‘We’re not doing this.’ That’s a case essentially where IT security has come back and said, ‘not as it currently stands, now here are your options,’ or whatever, ‘we can talk to them but as it currently stands, it’s a no.’
There are some scenarios where that happens and I would imagine there are some scenarios where it’s, ‘okay, here’s the results of our risk assessment,’ let’s say it’s mid level risk, ‘you decide,’ right? We’re not deciding because it’s not bad enough that we’re absolutely putting our foot down as IT security. It’s not bad enough for that. But there are some risks here, so you decide. Does that make sense?
Monique: If we’re moving off of the multi-factor conversation, right, you’re just talking about a general risk?
Anthony: Yes, yes, exactly. We’re moving off of multi-factor which we said was red flag, big problem.
Monique: Okay.
Anthony: Now we’re into one where the overall report is medium-level risk.
Monique: Part of my role as a trusted adviser is providing all of the facts and the risks, and having a conversation with the business on what the risks are, what their options are, and really leaving it up to them on making the decision based on their business need. There have been a lot of conversations between myself and my colleagues regarding risks and their options and determining what way they need to go based on what the business need is. That is my role – to make sure that I’m evaluating the risk, that as a CHOP leader I’m partnering with them, my colleagues, in regards to what they need to do and what the business need is, and really providing and presenting all the factual options around what they could be doing. It’s not just a one-sided option approach, I just want to make sure that’s clear.
When we look at options, it’s from a business perspective, it’s from a legal perspective. It could be from a supply chain perspective. There’s a multi-disciplinary team of people making these recommendations.
Anthony: Yes, it could be clinical too.
Monique: Absolutely.
Anthony: Super clinical app and they say, ‘well, Monique, there’s only this one company and they’re amazing and they do this very unique thing.’ Okay, maybe we’ll accept a little more risk. Whereas, if you could come back and say or together you find that the risk is a little high and there’s three other vendors that do the same thing, so maybe we look at them, right? These are all things you take into account.
Monique: Right. There’s times where we talk to the vendor to see how we can work together. If something isn’t baked into the application that CHOP needs to have in there, how can we work together, what’s the timeline, are they willing to partner with us? If they’re not, okay, let’s work with the multi-disciplinary team on what other options that we have. Because it’s not just an information security decision.
Anthony: Yup, excellent. Let’s touch on just a few other things. Fourteen years at CHOP, lots of longevity there. I talked to a CIO the other day I’m very friendly with. He said the CISO role is the hardest one out there. It’s a lot of pressure.
Monique: Right. It is a lot of scope and scale and a lot of pressure. My recommendation is, one, rely on your team. Develop a team that you can really trust. I say all the time that yes, there are things that keep me up at night, but what helps me sleep is my dedicated team, or the dedicated team at CHOP. I just went on vacation a couple of weeks ago and didn’t have to worry because the team is solid and they’re committed to CHOP and they’re committed to defending CHOP. I think first and foremost is to lean on your team, because you’re all in this to protect CHOP and protect each other and make sure that there is balance.
The second thing is to have that balance, to have that outlet and to be able to disconnect. It is very important to know that you can disconnect and work is going to be there when you get back. One of the things that I mentioned to my team is I trust that they’ll call me if they need me. Otherwise, I’m going to enjoy my vacation and be refreshed getting back because it’s just as important for me to refresh for the team as well.
Then, the work-life balance is absolutely key and people talk about it. But I’m not sure if many people ever live it. But it’s making sure that you’re not constantly working, and I really look at my hours when I’m on and when I’m looking at email and really disconnecting at certain times and being able to, when I can disconnect, and do things I like from a personal level. I think it’s really important even during the day. I do work a lot because security doesn’t stop. It’s pretty much a 24×7 job. If there’s things that I could be doing during the day, especially if I’m on very early in the morning or very late at night, I make sure that I balance my workload that way.
Anthony: Yes, that’s great stuff. I interviewed a CISO the other day and he talked about having a hobby as being critically important, something that occupies your mind in a different way.
Monique: Right. You need somewhere for your mind to go so it’s not concentrating on work all the time, 100%.
Anthony: You still swimming? I read that you’re quite the swimmer.
Monique: I am still swimming and that’s something that definitely keeps me occupied. I can’t bring a phone in the pool with me so that helps with my work-life balance (laughing). I’m constantly swimming in New Jersey and at local pools within the Philadelphia area, and that is something that I maintain my work-life balance with 100%.
Anthony: Do you promise that you don’t think about cybersecurity while you’re doing your laps?
Monique: I absolutely don’t (laughing). It’s hard enough just to think about breathing, let alone something else. It’s definitely something I’m able to disconnect with and literally meditate with.
Anthony: That’s wonderful, Monique. That was perfect. I want to thank you so much for your time today. I think people are going to enjoy this. Thank you.
Monique: Thanks for your time, Anthony. Glad to be here.